This policy outlines how Knowledge Technology Solutions, Inc., d.b.a. Quester® (“we,” “us,” or “our”) handles the disclosure of personal data to third parties in compliance with the General Data Protection Regulation (GDPR).

1. Introduction

Quester is committed to protecting the privacy and security of personal data. This policy outlines the circumstances under which we may disclose personal data to third parties and the safeguards we have in place to ensure compliance with the General Data Protection Regulation (GDPR).

2. Scope

This policy applies to all personal data processed by Quester, including personal data relating to customers, employees, contractors, and other individuals.

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person (“data subject”).
  • Processing: Any operation or set of operations performed on personal data, whether or not by automated means.
  • Third Party: Any natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

4. Legal Basis for Disclosures

We may disclose personal data to third parties under the following legal bases:

  • Consent: The data subject has given explicit consent to the disclosure for one or more specific purposes.
  • Contractual Necessity: The disclosure is necessary for the performance of a contract to which the data subject is a party or to take steps at the data subject’s request prior to entering into a contract.
  • Legal Obligation: The disclosure is necessary for compliance with a legal obligation to which we are subject.
  • Legitimate Interests: The disclosure is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

5. Categories of Third Parties

We may disclose personal data to the following categories of third parties:

  • Service Providers: Third parties that provide services on our behalf, such as IT services, payment processing, marketing, and customer support.
  • Business Partners: Third parties with whom we collaborate for joint activities, promotions, or partnerships.
  • Regulatory Authorities: Government agencies or regulatory bodies that require disclosure for legal or regulatory purposes.
  • Law Enforcement: Authorities to whom we are legally required to disclose information for the purpose of preventing, detecting, or investigating crime.
  • Other Third Parties: Other third parties as necessary for the purposes for which the personal data was originally collected or for compatible purposes.

6. Safeguards

We implement appropriate technical and organizational measures to ensure the security of personal data disclosed to third parties. These measures include:

  • Data Processing Agreements: We enter into data processing agreements with third parties to ensure they process personal data in compliance with GDPR requirements.
  • Due Diligence: We conduct due diligence on third parties to assess their data protection practices and ensure they have adequate safeguards in place.
  • Data Minimization: We disclose only the minimum amount of personal data necessary for the intended purpose.
  • Confidentiality: We require third parties to maintain the confidentiality of personal data and use it only for the purposes for which it was disclosed.

7. Data Subject Rights

Data subjects have the right to:

  • Access: Request access to their personal data and obtain information about how it is processed and to whom it is disclosed.
  • Rectification: Request correction of inaccurate or incomplete personal data.
  • Erasure: Request deletion of their personal data, subject to certain conditions.
  • Restriction: Request restriction of processing of their personal data.
  • Objection: Object to the processing of their personal data based on legitimate interests.
  • Data Portability: Request to receive their personal data in a structured, commonly used, and machine-readable format and have it transferred to another controller.

8. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. We will notify data subjects of any significant changes by posting the updated policy on our website and, where appropriate, by other means.

9. Contact Information

If you have any questions or concerns about this policy or our data protection practices, please contact us at:

Quester
Attention: Privacy Officer
6500 University Avenue
Suite 205
Des Moines, IA 50324
privacy@quester.com

Last reviewed and modified on July 11, 2024